DNS sslip Corrections

Issue: Nextcloud OIDC login returns “Could not reach the OpenID Connect provider”

Symptom: Visiting https://nextcloud.192.168.0.215.sslip.io/apps/user_oidc/login/1 returns HTTP 404 with the error page: “Could not reach the OpenID Connect provider.”

Root Cause

Two issues in Nextcloud’s HTTP client configuration that blocked outbound requests to the Keycloak OIDC provider at id.192.168.0.215.sslip.io:

  1. Nextcloud DNS pinning (local address restriction): CoreDNS rewrites *.192.168.0.215.sslip.io to the NGINX ingress controller’s ClusterIP (10.110.37.102). Nextcloud’s DnsPinMiddleware (lib/private/Http/Client/DnsPinMiddleware.php:139) blocks HTTP requests to private/local IPs as an SSRF prevention measure, throwing OCP\Http\Client\LocalServerException: Host "10.110.37.102" (id.192.168.0.215.sslip.io:80) violates local access rules.

  2. Self-signed TLS certificate: The Keycloak ingress uses a self-signed TLS certificate generated by Helm. The user_oidc app’s HttpClientHelper rejects it by default.

Changes applied

Ran inside the Nextcloud pod (kubectl exec deploy/nextcloud -- php occ config:system:set ...):

SettingValuePurpose
allow_local_remote_serverstrueBypasses DNS pinning for local addresses (allows HTTP requests to ClusterIPs)
user_oidc.httpclient.allowselfsignedtruePermits the user_oidc HTTP client to accept self-signed TLS certificates

Verification